Why we invested in Synack
This article was co-written by B Capital Group Senior Principal Mike Fernandez and General Partner Rashmi Gopinath.
Regardless of sector or structure, organizations are increasingly confronted with ever-expanding threats in the form of cyberattacks. As recently as last year, cybersecurity ranked as the number one concern among CEOs of the largest companies in the world. The threat has remained (and even grown) in the wake of COVID-19 with the shift to remote work, which provides a larger attack surface for hackers to target at a time when attention is focused on pressing and urgent concerns and stakes for many companies are sky-high. Enterprises are facing increasingly sophisticated opponents and will need to continuously improve the frequency and coverage of their penetration capabilities.
This increasingly critical challenge is one reason we’re proud to announce B Capital’s investment in Synack’s Series D funding round, which we co-led with C5 Capital. Our firm actively looks for cybersecurity platforms that fundamentally improve an organization’s security strategy and posture. CISOs today are facing vendor fatigue, a shortage of skilled cybersecurity talent, and lack of insight into the true vulnerabilities in their tech. We look for companies in the crowdsourced security testing space that are well-positioned to address these challenges and understand the increasing vector of rapidly evolving security vulnerabilities due to expanding attack surfaces and exponential growth in types of attacker groups. Synack demonstrated an unparalleled offering that addresses these issues and more.
Our General Partner Rashmi Gopinath previously led Synack’s Series C investment in her role at Microsoft’s M12 Ventures, and we were impressed to see the company continue its growth trajectory. As the world’s most trusted crowdsourced security platform, Synack is already used by hundreds of Global 2000 and government clients, accounting for over $1T in revenue and comprising over 50% of cabinet-level agencies in the United States. The company has also built a successful expansion strategy in international markets such as the Middle East, Europe, and Asia and amassed a network of ethical hackers in over 82 countries. In a time when the cybersecurity threat has never been greater and amidst a shortage of skilled talent and unsteady corporate budgets, Synack offers the clearest path to meeting these challenges.
Cybersecurity’s history is rooted in government-grade systems testing
In 1967, the U.S. Department of Defense asked Willis Ware at the RAND Corporation to prepare a report on the risks of penetration of computer systems by malicious actors. The seminal report, entitled “Security and Privacy in Computer Systems” effectively launched the cybersecurity industry and planted the seeds for pre-emptive penetration testing of systems to discover security vulnerabilities. By the 1970s, the U.S. military was using internal “Tiger Teams” to test systems and in 1986, the Computer Fraud and Abuse Act legalized the contracting of an outside provider to intentionally penetrate one’s own computer systems. While the profession of cybersecurity remained the province of small internal security teams and external consultants working for the government, by 1995 Netscape asked the public to help identify bugs in its Navigator web browser, launching the first modern crowdsourced bug bounty program.
Before founding Synack, Jay Kaplan and Mark Kuhr spent two decades at the NSA, working in this community of elite experts to protect our nation’s most critical assets against security hacks. They applied years of observation and learnings from penetration testing and crowdsourcing to founding Synack in 2013, building the first crowdsourced cybersecurity vulnerability platform designed for Global 2000 corporations and governments. Synack’s virtual model, bringing together highly vetted and best-in-class security researchers from around the world, transformed penetration testing from a one-off exercise into a repeatable and scalable activity that continuously protects critical digital assets.
Synack brings elite security to a digital world
The elite nature and structure of its ethical hacker network is at the heart of Synack’s offering, and one of the key differentiators we saw when evaluating the investment opportunity. While other bug bounty platforms prioritize the size of the network of researchers over the quality of their expertise, Synack stood out to us because of the unparalleled focus on attracting the most elite and skilled ethical hackers around the world and working with purpose-built technology that further enhances the scale and quality of their results.
Synack’s highly selective “Red Team” is made up of over 1500 independent security researchers from over 82 countries worldwide. Only 12% of applicants are accepted to the Synack Red Team after undergoing thorough skills assessments, interviews, and background checks, on par with many Ivy League universities. In addition, Synack offers a secure platform where client assets are tested in tightly controlled environments to ensure complete enterprise-grade security and privacy. This provides peace of mind for clients concerned about exposing vulnerabilities or sensitive data, and it means that being a Synack Red Team membership has become an elite badge of quality and source of pride for the researcher community
In addition, we observed Synack’s approach to pen testing uses software-driven, fully remote tools. While we were already impressed with the benefits a flexible, adaptive testing system, this approach has become even more significant in the COVID-19 world, as many traditional penetration testing services rely on having a physical presence at the client site to ensure security.
Despite the tremendous success that Synack has had in changing the standard for penetration testing frequency and applicable targets, B Capital is confident that the company is at the cusp of achieving even greater expansion and impact of its platform. We are excited to partner with the team on global expansion and the evolution of Synack’s AI-driven automated testing platform, which leverages existing Red Team results to provide continuous vulnerability scanning. And Synack’s growing set of APIs create interesting opportunities to seamlessly integrate penetration testing into the DevSecOps process. Jay (CEO), Mark (CTO), Jim (COO), Aisling (CBO), and the rest of the Synack team have built an exceptional business changing the definition of what is possible with human-augmented intelligence in cybersecurity, and we look forward to this journey together.